brcmfmac: fix firmware crash due to mismatched completion handlers#7460
Merged
Conversation
Without a valid cookie to distinguish pending concurrent completion events, mismatches occur under concurrency that crash the firmware. This fix uses a monotonous atomic counter that guarantees unique ids. Signed-off-by: Bogdan Nicolae <bogdan.nicolae@acm.org>
Contributor
|
I can see how that might make a difference, but also it doesn't look as if it could break anything. |
Contributor
|
@bnicolae Could you please send this patch upstream? |
Contributor
Author
|
Sure, happy to, but let me investigate and test some more. I'm not sure we really need to set the cookie anyway, maybe using the counter for params->packet_id directly works just fine. I used the cookie because the Infineon backports use it too (but in a hacky way, they set the cookie to a pointer, which is not deferenced anyhere, but a reallocation could regenerate the same pointer, therefore at risk of not being unique). If the cookie is not used upstream, then setting params->packet_id is cleaner. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Without a valid cookie to distinguish pending concurrent completion events, mismatches occur under concurrency that crash the firmware. The cookie is used to populate mf_params->packet_id and is sent to firmware via vif->mgmt_tx_id. Later, completions are matched using if (packet_id != vif->mgmt_tx_id). This fix uses a monotonous atomic counter that guarantees unique ids.